Prep for Security Advisory 2024-02
authorOtto Moerbeek <otto@drijf.net>
Mon, 22 Apr 2024 10:03:29 +0000 (12:03 +0200)
committerOtto Moerbeek <otto@drijf.net>
Mon, 22 Apr 2024 10:03:29 +0000 (12:03 +0200)
docs/secpoll.zone
pdns/recursordist/docs/changelog/4.8.rst
pdns/recursordist/docs/changelog/4.9.rst
pdns/recursordist/docs/changelog/5.0.rst
pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-02.rst [new file with mode: 0644]

index 3e393b5d496f0a5a519978538569ea8691a985a7..a7d230c6695cf7eb672d8ddfd16ec1fe757e1115 100644 (file)
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024040501 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2024042401 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 
@@ -359,7 +359,8 @@ recursor-4.8.3.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.8.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
 recursor-4.8.5.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
 recursor-4.8.6.security-status                          60 IN TXT "1 OK"
-recursor-4.8.7.security-status                          60 IN TXT "1 OK"
+recursor-4.8.7.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html"
+recursor-4.8.8.security-status                          60 IN TXT "1 OK"
 recursor-4.9.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.9.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-4.9.0-rc1.security-status                      60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
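Review bot: The new `security-status` strings for 4.8.7, 4.9.4 and 5.0.3 (this hunk and the two that follow) link the advisory under `https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html`, while the changelog entries added in the same commit link it under `docs.powerdns.com`. The zone is consistent with its own existing 2024-01 entries, so if both hosts serve the same pages this is cosmetic, but operators typically meet this URL in a Recursor log line and a single spelling across the commit is easier to verify on release day. The SOA serial in the first hunk is dated `2024042401` although the commit is from 22 April, so presumably the zone is meant to go live only once the advisory page exists. A short comment such as `; 2024-02: publish together with the advisory` above the changed records would make that ordering explicit.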
@@ -367,7 +368,8 @@ recursor-4.9.0.security-status                          60 IN TXT "3 Upgrade now
 recursor-4.9.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
 recursor-4.9.2.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
 recursor-4.9.3.security-status                          60 IN TXT "1 OK"
-recursor-4.9.4.security-status                          60 IN TXT "1 OK"
+recursor-4.9.4.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html"
+recursor-4.9.5.security-status                          60 IN TXT "1 OK"
 recursor-5.0.0-alpha1.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-5.0.0-alpha2.security-status                   60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-5.0.0-beta1.security-status                    60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
@@ -376,7 +378,8 @@ recursor-5.0.0-rc2.security-status                      60 IN TXT "3 Unsupported
 recursor-5.0.0.security-status                          60 IN TXT "3 Unsupported pre-release (known vulnerabilities)"
 recursor-5.0.1.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"
 recursor-5.0.2.security-status                          60 IN TXT "1 OK"
-recursor-5.0.3.security-status                          60 IN TXT "1 OK"
+recursor-5.0.3.security-status                          60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html"
+recursor-5.0.4.security-status                          60 IN TXT "1 OK"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status                 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
index a09aab1680c86dc6cd840450a0a9f6af47403bdc..2db6b78bcbccaa59360767084d375e3125f3c845 100644 (file)
@@ -1,5 +1,16 @@
 Changelogs for 4.8.X
 ====================
+
+.. changelog::
+   :version: 4.8.8
+  :released: 24th of April 2024
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq:
+
+    `Security advisory 2024-02 <https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html>`__: CVE-2024-25583
+
 .. changelog::
   :version: 4.8.7
   :released: 7th of March 2024
index ac93382f9015ec73d9660eee3a6ffc36ca6446b0..f5cd47d859d303f1b4ab4b0b4eb0aa8f59d29fc3 100644 (file)
@@ -1,6 +1,16 @@
 Changelogs for 4.9.X
 ====================
 
+.. changelog::
+   :version: 4.9.5
+  :released: 24th of April 2024
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq:
+
+    `Security advisory 2024-02 <https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html>`__: CVE-2024-25583
+
 .. changelog::
   :version: 4.9.4
   :released: 7th of March 2024
index 7b495c8a658d15b0aa324a54538161585a3c6bf2..c4081578a46dbcd39f6df27c5005891061381545 100644 (file)
@@ -3,6 +3,16 @@ Changelogs for 5.0.X
 
 Before upgrading, it is advised to read the :doc:`../upgrade`.
 
+.. changelog::
+   :version: 5.0.4
+  :released: 24th of April 2024
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq:
+
+    `Security advisory 2024-02 <https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html>`__: CVE-2024-25583
+
 .. changelog::
   :version: 5.0.3
   :released: 7th of March 2024
diff --git a/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-02.rst b/pdns/recursordist/docs/security-advisories/powerdns-advisory-2024-02.rst
new file mode 100644 (file)
index 0000000..14c8b71
--- /dev/null
@@ -0,0 +1,21 @@
+PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor
+========================================================================================================================================
+
+    CVE: CVE-2024-25583
+    Date: 24th of April 2024.
+    Affects: PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3, earlier versions are not affected
+    Not affected: PowerDNS Recursor 4.8.8, 4.9.5 and 5.0.4
+    Severity: High (only when using recursive forwarding)
+    Impact: Denial of service
+    Exploit: This problem can be triggered by an attacker publishing a crafted zone
+    Risk of system compromise: None
+    Solution: Upgrade to patched version
+
+When using recursive forwarding, a crafted response from an upstream server can cause a Denial of
+Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding
+and is not affected.
+
+CVSS Score: 7.5, only for configurations using recursive forwarding, see
+https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
+
+The remedy is to update to a patched version.